Down the Security Rabbithole, The Blog

This is a collection of my thoughts and ideas, and anything expressed here is unrelated to anything in real life and does not represent opinions of clients, employers or colleagues. If it feels a little bit like stream-of-consciousness, it probably is.

Tuesday, October 27, 2009

CSI: Annual 2009

Hello everyone, day 2 is behind us now at CSI: Annual 2009 and I wanted to post some thoughts, now that I've completed the panel at the Web Security Summit, and my 9:45am talk on "A Risk Focused Approach to Web App Security" (slides coming soon...).

First the attendees ... where's the passion? Where's the love for what you're doing? I see attendees slumped over, walking from session to session heads-down on their BlackBerrys ... they walk in, sit down, open the laptop and tune out. Aren't you here because you want to learn something? ... hear something new? Are we, the speakers, failing to impress? (more on this in a moment) So I have to say that the attendees this year are sparse and just have way too many of the glazed-over, glossy-eyed looks about them. Getting this year's attendees to participate in a session is damn near impossible ... and not for lack of trying! (if you know me, or have been to one of my talks, you know I speak the truth) The panel I hosted yesterday titled "Web Security Summit" had a decent crowd, yet far from what I was hoping for. That aside, almost everyone in there simply sat and stared when we, the panelists, tried to engage our audience! Only the brave (attentive?) raised their hands, few answered questions, even fewer asked questions ... it was painful. We did get, towards the end, onto a few fiery topics like PCI and some privacy issues which really got a few of the attendees fired up and going ... and for that I thank you deeply. Sadly, though, for the 5 or so people who never looked up from your laptops (and are unlikely to be reading this post) ... what were you doing, taking notes I hope?

Next, I want to say thank you to Jen Jabbusch, Josh Abraham, Sharon Besser, and Mike Bailey for being on my panel, and contributing to some very interesting conversations. Even if the crowd was apathetic ... at least I know you guys still love your jobs and feel strongly about the big issues!

Now, let me move on to the speakers. I'm not going to bash anyone or critique because I'm no world-class speaker either ... but many of the presentations that were given continue to be lackluster, and quite honestly dry. I think we have the information, the content is there ... but we need to figure out a way to be more dynamic, more engaging, and get the attendees to pay attention and give a sh** more! I'm not sure how that can be accomplished quite yet - I'm working on it.

As for the quality of the conference overall, I think Robert, Dina and Sara did a fantastic job as always working with what was available ... we all expected a lower turnout this year given shrinking budgets and corporate belt-tightening. You guys were, as always, great to work with and I hope I was able to contribute to the quality of the conference in a positive way.

Now, for the most important thing ... the side conversations that happen in between talks, in the hallways and watering holes of the venue. I think what I'll take back with me most of all is the fact that I am continually reminded how little I know by the people around me. I had the pleasure of having lunch today with @mubix, @jabra, and @mckt_ and quite honestly ... that was awesome. We covered a wide range of topics from Metasploit, to web app hacking, to creating some truly evil integrations of long-forgotten tools ... there is some great work coming! I think the projects and ideas we outlined over lunch are about 6 months of work for ourselves, and will probably be 2 years of work for everyone else ... well done guys, well done.

I guess overall, while I'm disappointed on one end, conferences like this still bring brilliant minds together, and at the end of the day I'm just happy to be a part of it and contribute in whatever way I can.

Next up ... AppSec DC!

Edit: I can't hold it in... I don't need to repeat the content of the Twitter stream we launched ... but I'm going to simply say that no one should ever say the word "turnkey" coupled with "security" ever again. It makes zero sense, so stop it. Also, if you're going to claim to be a subject-matter expert at least make sure that your information is relevant (say, within the last 18 months?) and that you can articulate what you want to say ... eesh.

About Me

Technology is pushing us along and becoming pervasive in our lives orders of magnitude faster than we can fully comprehend the ramifications of these changes.

Technology promises to change our lives, but at what price? The more heavily our daily lives rely on technology the greater the impact of a breach or a malicious attack. Our toasters can't kill us ... yet, but I suspect the day is coming.

As someone who has been involved in the defensive enterprise side of security for well over a decade, I implore you to join me and focus our efforts on building better, more resilient systems which can not only support and enrich our lives, but also better withstand misuse and attack.

Remember, prevention is a myth the snake-oil salesman sells. Real security comes from the ability to detect, respond, and resolve critical issues in a meaningful way.